Security firms Symantec and Zscaler have uncovered a new backdoor malware, dubbed Mistic, which is being deployed by the KongTuke initial access broker (IAB) to compromise corporate networks. KongTuke, active since at least 2024, specializes in breaching organizations and selling that access to ransomware operators, including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. The discovery highlights the growing sophistication of tools used by access brokers to maintain stealth and persistence in targeted environments.
How Mistic operates
Mistic is designed for long-term, low-visibility access to compromised systems. According to Symantec, the malware is typically side-loaded via a legitimate executable, MpExtMs.exe, which loads a malicious DLL (version.dll) that subsequently deploys Mistic under the guise of a Microsoft endpoint security tool (EndpointDlp.dll). This naming convention is likely intended to evade suspicion by blending in with legitimate software.
Once active, Mistic communicates with its command-and-control (C2) infrastructure and can execute a range of commands, including file manipulation, in-memory code execution, and self-termination. Zscaler, which tracks the malware as MTLBackdoor, notes that one of its most potent features is the ability to load Beacon Object Files (BOFs)—small, in-memory programs that expand its capabilities without writing to disk. This technique is commonly associated with red teaming tools like Cobalt Strike and is increasingly used in post-exploitation attacks to avoid detection by security agents.
Background: Initial access brokers (IABs) are cybercriminals who specialize in breaching corporate networks and selling that access to other threat actors, such as ransomware groups. Their tools and techniques often prioritize stealth and persistence to maximize the value of the compromised access.
The infection chain often begins with social engineering attacks, such as those delivered via Microsoft Teams. In at least one documented case, Mistic was deployed shortly after ModeloRAT, another backdoor attributed to KongTuke. The group has also been observed using other tools, including WinPython and Node.js runtimes to execute malicious code, the finger.exe utility to retrieve obfuscated payloads, and malware loaders like MintsLoader and D3F@ck Loader.
Why the discovery matters
The emergence of Mistic underscores the evolving tactics of ransomware-affiliated access brokers. Unlike off-the-shelf malware, custom tools like Mistic are tailored to evade detection and maintain persistence, making them particularly dangerous for organizations with mature security postures. Symantec’s researchers emphasize that the backdoor’s in-memory execution and self-deletion capabilities are hallmarks of an operator seeking long-term, undetected access.
KongTuke’s use of multiple tools and techniques further complicates detection efforts. For example, the group has previously employed ClickFix and its variants (FileFix and CrashFix) to deliver ModeloRAT, as well as fake browser extensions like NexShield and encrypted payloads such as GateKeeper. This multi-tool approach allows the group to adapt to different security environments and evade signature-based defenses.
For professionals: Organizations should prioritize monitoring for unusual process execution, particularly side-loading of legitimate executables with malicious DLLs. In-memory payload execution, such as BOFs, is a red flag for advanced threats like Mistic. Regular breach and attack simulation (BAS) testing can help identify gaps in detection rules for SIEM and EDR systems.
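The side-loading chain described above (MpExtMs.exe loading version.dll, which in turn drops EndpointDlp.dll) and the monitoring advice in this section can be turned into a concrete hunt over image-load telemetry. The following is an added example, not code from Symantec, Zscaler or the original article. It assumes Sysmon Event ID 7 style records with Image, ImageLoaded and Signed fields; the sample events, the directory paths, and the additional system DLL names beyond version.dll are constructed for illustration and are not indicators published for Mistic.

```python
"""
Hunt for DLL side-loading in image-load telemetry.
Assumption: events resemble Sysmon Event ID 7 (ImageLoad) records with
"Image" (the process executable), "ImageLoaded" (the DLL) and "Signed"
fields. All sample records below are constructed, not real IoCs.
"""
import ntpath  # Windows path handling that works on any host OS

# Windows system DLL names that a legitimate executable can be tricked into
# loading from its own directory. version.dll is the one named in the Mistic
# report; the others are assumed well-known examples, not from the report.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptsp.dll"}

# Directories from which those DLLs are legitimately loaded (lower-cased).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Install roots where a co-located unsigned DLL is less remarkable (assumption).
TRUSTED_APP_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")


def _norm(path: str) -> str:
    # Lower-case and use backslashes so comparisons are case/separator-insensitive.
    return ntpath.normcase(path)


def findings_for(event: dict) -> list:
    """Return a list of human-readable findings for one image-load event."""
    image = _norm(event["Image"])
    loaded = _norm(event["ImageLoaded"])
    dll_name = ntpath.basename(loaded)
    dll_dir = ntpath.dirname(loaded)
    unsigned = str(event.get("Signed", "false")).lower() != "true"
    out = []

    # Rule 1: a system DLL name resolved outside the system directories is the
    # classic search-order hijack used for side-loading (version.dll in Mistic).
    if dll_name in SYSTEM_DLL_NAMES and dll_dir not in SYSTEM_DIRS:
        out.append("high: system DLL name loaded from non-system directory")

    # Rule 2: an unsigned DLL sitting next to the executable, outside standard
    # install roots, matches the dropped-payload stage (EndpointDlp.dll).
    if unsigned and dll_dir == ntpath.dirname(image) and not dll_dir.startswith(TRUSTED_APP_ROOTS):
        out.append("medium: unsigned DLL co-located with process image outside install roots")
    return out


def hunt(events: list) -> list:
    """Run the rules over many events; return (process, dll, reason) tuples."""
    results = []
    for ev in events:
        for reason in findings_for(ev):
            results.append((ev["Image"], ev["ImageLoaded"], reason))
    return results


# Constructed sample telemetry: the first two mimic the reported chain,
# the last two are benign loads that the rules must not flag.
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\Tools\MpExtMs.exe",
     "ImageLoaded": r"C:\ProgramData\Tools\version.dll", "Signed": "false"},
    {"Image": r"C:\ProgramData\Tools\MpExtMs.exe",
     "ImageLoaded": r"C:\ProgramData\Tools\EndpointDlp.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptsp.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for proc, dll, reason in hunt(SAMPLE_EVENTS):
        print(f"{reason}\n  process: {proc}\n  dll:     {dll}")
```

Both rules deliberately key on path and signature relationships rather than on the specific file names, so the same logic keeps working when an operator renames the host executable or the payload DLL; tune TRUSTED_APP_ROOTS to the environment's actual software inventory before relying on the medium-severity rule.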
What to watch
The discovery of Mistic suggests that KongTuke is investing in custom malware development to enhance its access brokerage services. Security teams should expect similar tools to emerge as IABs seek to differentiate themselves in a competitive ransomware ecosystem. Additionally, the use of BOFs and other in-memory techniques may become more prevalent as attackers refine their evasion tactics.
Symantec and Zscaler have released indicators of compromise (IoCs) for Mistic/MTLBackdoor, which organizations can use to hunt for signs of infection. Given KongTuke’s history of targeting sectors like insurance, education, IT, and professional services, companies in these industries should be particularly vigilant.
Automated pipeline · Security
Synthesized from 1 industry feed on 24 Jun 2026. Passed independent editor verification (score 92/100) before publication. Style guide v1.3.
Decision trail
- Checking for duplicates — New story No recent or in-pipeline article covers the Mistic backdoor or its link to KongTuke ransomware access broker.
- Checking for duplicates — New story pre_write:; No recent or in-pipeline article covers this specific Mistic backdoor or KongTuke activity.
- Writing the article — Draft created article_id=232 slug=mistic-backdoor-linked-to-ransomware-access-broker-kongtuke
- Editor review — Approved
- Score: 92/100
- Factual grounding: The draft states Mistic has been used 'since April' without specifying the year. Source 1 (published 24 June 2026) refers to 'April' without a year, but the reference date is 2026. This is acceptable as the context implies 2026, but the lack of explicit year in the source could be clarified for precision.
- Style compliance: The body length (728 words) slightly exceeds the 700-word upper limit for the main body (excluding Sources). This is minor but should be trimmed if possible.
- No copied phrasing: The phrase 'side-loaded via a legitimate executable, MpExtMs.exe, which loads a malicious DLL (version.dll)' closely mirrors Source 1's wording. While the facts are correct, the phrasing should be restructured further to avoid echoing the source.
- Style compliance: The 'Background' block is well-sourced and appropriate, but the 'For professionals' block could be more concise (3 sentences are acceptable, but the last sentence is slightly redundant with the preceding analysis).
- Generating reader Q&A — Generated 4 items
- Assigning hero image — Reused library image reused image #58
- Linking related stories — Linked 2 relations from 185 candidates
- Publishing — Published mistic-backdoor-linked-to-ransomware-access-broker-kongtuke
- Mastodon — Posted https://mstdn.social/@hostingpaper/116804942676122677